768312 – Logging into CVS server causes AVC denial

Bug 768312 - Logging into CVS server causes AVC denial

Summary: Logging into CVS server causes AVC denial

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	773197 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-12-16 10:25 UTC by Petr Sklenar
Modified:	2012-06-20 12:29 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.7.19-138.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-20 12:29:53 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0780	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-06-19 20:34:59 UTC

Description Petr Sklenar 2011-12-16 10:25:46 UTC

Description of problem:
Login into CVS server causes AVC denial

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
libselinux-devel-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-126.el6.noarch
libselinux-2.0.94-5.2.el6.x86_64
libselinux-utils-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6.noarch

# cvs-1.11.23-11.el6_0.1.x86_64


How reproducible:
deterministic

Steps to Reproduce:
0. clear and fresh rhel62 machine
1. disable = no in /etc/xinetd.d/cvs
2. service xinetd restart
2. useradd petr && echo 1234 | passwd --stdin petr
3. cvs -d ":pserver:petr:1234.0.1:/var/cvs" login
  
Actual results:
cvs command pass:
Logging in to :pserver:petr.0.1:2401/var/cvs

but there is avc denial:

type=AVC msg=audit(1324030525.407:86470): avc:  denied  { dac_override } for  pid=2687 comm="cvs" capability=1  scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1324030525.407:86470): avc:  denied  { dac_read_search } for  pid=2687 comm="cvs" capability=2  scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tclass=capability

Expected results:
no denial

Additional info:

Comment 1 Daniel Walsh 2011-12-16 11:36:56 UTC

This looks like you have a UID/Permission problem.  Could you turn on full auditing.

auditctl -w /etc/shadow -p w

And then recreate this AVC, it will then contain a path to the file that is causing the problem.

Comment 2 Petr Sklenar 2011-12-16 12:22:17 UTC

I did `auditctl -w /etc/shadow -p w`
then there is the same AVC, no path to any file, no inode:

type=AVC msg=audit(1324037977.845:86614): avc:  denied  { dac_override } for  pid=5399 comm="cvs" capability=1  scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1324037977.845:86614): avc:  denied  { dac_read_search } for  pid=5399 comm="cvs" capability=2  scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tclass=capability

Comment 3 Petr Sklenar 2011-12-16 12:28:05 UTC

err, sorry ignore Comment 2.

there is more info during such an avc in /var/log/audit/audit.log:

type=AVC msg=audit(1324038324.305:86623): avc:  denied  { dac_override } for  pid=5410 comm="cvs" capability=1  scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1324038324.305:86623): avc:  denied  { dac_read_search } for  pid=5410 comm="cvs" capability=2  scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1324038324.305:86623): arch=c000003e syscall=2 success=no exit=-13 a0=7f93173006bb a1=80000 a2=1b6 a3=0 items=1 ppid=5362 pid=5410 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cvs" exe="/usr/bin/cvs" subj=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1324038324.305:86623):  cwd="/"
type=PATH msg=audit(1324038324.305:86623): item=0 name="/etc/shadow" inode=1049715 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=USER_AUTH msg=audit(1324038324.347:86624): user pid=5410 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="petr" exe="/usr/bin/cvs" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1324038324.352:86625): user pid=5410 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="petr" exe="/usr/bin/cvs" hostname=? addr=? terminal=? res=success'


# ls -Z /usr/bin/cvs /etc/shadow
----------. root root system_u:object_r:shadow_t:s0    /etc/shadow
-rwxr-xr-x. root root system_u:object_r:cvs_exec_t:s0  /usr/bin/cvs

Comment 4 Milos Malik 2011-12-17 05:18:32 UTC

Easy to reproduce.

Comment 5 Milos Malik 2011-12-17 05:21:56 UTC

If allow_cvs_read_shadow boolean is set to 1, these AVCs do not appear any more.

Comment 6 Milos Malik 2011-12-17 05:30:19 UTC

During the time I tried to reproduce the bug I came across another AVC. It appear when you try to add some file into the CVS repository.

# mkdir /var/cvs/CVSROOT
# date > pokus.txt
# cvs -d ":pserver:randomuser:r4nd0m123.0.1:/var/cvs" add pokus.txt

----
time->Sat Dec 17 00:15:19 2011
type=SYSCALL msg=audit(1324098919.059:124738): arch=80000015 syscall=33 success=no exit=-13 a0=1003fbf29f0 a1=0 a2=0 a3=7fffffff items=0 ppid=30764 pid=30910 auid=0 uid=503 gid=506 euid=503 suid=503 fsuid=503 egid=506 sgid=506 fsgid=506 tty=(none) ses=7531 comm="cvs" exe="/usr/bin/cvs" subj=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1324098919.059:124738): avc:  denied  { search } for  pid=30910 comm="cvs" name="randomuser" dev=sda2 ino=3075038 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----

Comment 7 Miroslav Grepl 2011-12-18 20:00:58 UTC

Yes, there is a boolean.

Comment 8 Miroslav Grepl 2011-12-19 09:32:22 UTC

Closed by accident. The "search" AVC remains.

Comment 9 Milos Malik 2011-12-19 09:36:06 UTC

Interesting fact is that the AVC always contains "success=no" even if the reproducer ran in permissive mode.

Comment 10 Daniel Walsh 2011-12-19 19:16:33 UTC

I guess if the SYSCALL is failing for a reason outside of SELinux this could happen, such as DAC.

Comment 11 Daniel Walsh 2011-12-19 19:19:09 UTC

audit2allow -i /tmp/t1


#============= cvs_t ==============
#!!!! This avc can be allowed using the boolean 'allow_cvs_read_shadow'

allow cvs_t self:capability dac_override;
allow cvs_t self:capability dac_read_search;

Or setroubleshoot should have told us this fix was available.

Comment 12 Petr Sklenar 2012-01-11 10:12:03 UTC

*** Bug 773197 has been marked as a duplicate of this bug. ***

Comment 16 Daniel Walsh 2012-01-27 20:38:14 UTC

Maybe we should dontaudit this checks, since it probably will not work if you are not running the cvs daemon as root.

Comment 17 Miroslav Grepl 2012-01-30 10:41:58 UTC

I agree. We don't audit it in RHEL5.

Comment 22 errata-xmlrpc 2012-06-20 12:29:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

Note You need to log in before you can comment on or make changes to this bug.